
AWS Control Tower

AWS Control Tower is the easiest way to set up and govern a new, secure AWS environment. The talk explains the purpose of a multi-account strategy and shows how the new AWS Control Tower service relates to the existing Landing Zone solution and to AWS Organizations. By the end of the talk, attendees have what they need to build a Well-Architected environment in which they can manage security, operations and compliance rules to govern their AWS workloads.
https://aws.amazon.com/de/controltower/

Dennis Kieselhorst

January 08, 2020

Transcript

  1. AWS Control Tower
    Dennis Kieselhorst
    Sr. Solutions Architect
    © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

  2. Agenda
    • Motivation - Why a multi-account strategy / landing zone?
    • AWS Control Tower value proposition
    • A landing zone, the AWS Landing Zone solution and AWS Control Tower
    • AWS Control Tower – Enable, Provision, Operate
    • Demo
    • Q&A

  3. Why one AWS account isn’t enough
    Billing
    Many teams
    Security / compliance controls
    Business process
    Isolation

  4. Isolation with IAM and VPC in one account?
    “Gray” boundaries
    Complicated and messy over time
    Difficult to track resources
    People stepping on each other

  5. Customers are faced with…
    Many design decisions
    The need to configure multiple accounts & services
    Establishing a security baseline & governance

  6. You need a “landing zone”
    • A configured, secure, scalable, multi-account (multiple resource containers) AWS environment based on AWS best practices
    • A starting point for net new development and experimentation
    • A starting point for migrating applications
    • An environment that allows for iteration and extension over time

  7. Balancing the needs of builders and central cloud IT
    Builders: stay agile; innovate with the speed and agility of AWS
    Cloud IT: establish governance; govern at scale with central controls

  8. Business agility and governance control
    Governance
    Agility: self-service access, experiment fast, respond quickly to change

  9. landing zone, AWS Landing Zone, AWS Control Tower
    landing zone:
    • Secure pre-configured environment for your AWS presence
    • Scalable and flexible
    • Enables agility and innovation
    AWS Landing Zone Solution:
    • Implementation of a landing zone based on multi-account strategy guidance
    AWS Control Tower:
    • AWS Service version of AWS Landing Zone


  10. AWS Control Tower: Easiest way to set up and govern AWS at scale
    Enable, Provision, Operate
    Business agility + governance control

  11. AWS Control Tower: Enable for governance at scale
    Enable, Provision, Operate
    Business agility + governance control

  12. Enable governance
    Set up an AWS landing zone
    Establish guardrails
    Automate compliant account provisioning
    Centralize identity and access
    Manage continuously

  13. Set up an AWS landing zone
    Master account: AWS Control Tower, AWS Organizations, AWS Single Sign-On (AWS SSO directory), Stack sets, AWS Service Catalog
    Core OU:
    • Log archive account: aggregates AWS CloudTrail and AWS Config logs; account baseline
    • Audit account: security cross-account roles, security notifications; account baseline
    Custom OU:
    • Provisioned accounts: network baseline, account baseline

  14. Multi-account architecture
    • Baseline Organizations setup:
    - Core OU: AWS Control Tower baseline accounts (cannot change)
    - Custom OU: Your provisioned accounts
    Master account (Organizations); Core OU: Log archive account, Audit account; Custom OU: Provisioned accounts

  15. Demo

  16. Starter AWS multi-account framework
    AWS Cloud / AWS Organizations
    Foundational Organizational Units (OUs):
    - Security (Core OU)
    - Infrastructure: Shared Services, Network
    Additional OUs

  17. Starter AWS multi-account framework
    AWS Cloud / AWS Organizations
    Foundational Organizational Units (OUs):
    - Security (Core OU): Log Archive, Security Tooling
    - Infrastructure: Shared Services, Network
    Additional OUs
    Control Tower deploys these automatically

  18. High-level OU structure
    AWS Cloud / AWS Organizations
    Master
    Foundational Organizational Units (OU):
    - Infrastructure: Shared Services, Network
    - Security (Core OU)
    Additional OU

  19. Recommended AWS multi-account framework
    AWS Cloud / AWS Organizations
    Master
    Foundational Organizational Units (OU):
    - Infrastructure: Shared Services, Network
    - Security (Core OU)
    Additional OU

  20. Centralize identity and access
    • AWS SSO provides default directory for identity
    • Preconfigured groups and permission sets
    • Option to integrate with your managed or on-premises Active Directory (AD) using AWS Managed Microsoft AD
    • How to integrate with Okta: https://tinyurl.com/y3226978

  21. Service Control Policies (SCPs)
    • Enables you to control which AWS service APIs are accessible
    - Define the list of APIs that are allowed – whitelisting
    - Define the list of APIs that must be blocked – blacklisting
    • SCPs are:
    - Invisible to all users in the child account, including root
    - Applied to all users in the child account, including root
    • Permission: intersection between the SCP and IAM permissions
    • IAM policy simulator is SCP aware

  22. Disable Service APIs you Won’t be Using
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "<service-prefix>:*",
          "Resource": "*"
        }
      ]
    }
    Action: the AWS service APIs the statement denies; <service-prefix> is a placeholder for the prefix of the service being disabled (for example every API of one service via "prefix:*").
    NotAction: (Optional) List the AWS actions exempt from the SCP. Used in place of the Action element.
    Resource: List the AWS resources the SCP applies to.
    Condition: (Optional) Specify conditions for when the statement is in effect.
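
The two SCP slides above state the evaluation rule (an API call is permitted only where every SCP layer allows it and the IAM policy allows it, with any explicit Deny winning) and show the deny-one-service shape. The following toy evaluator is an added example, not code from the deck or from AWS; it models that rule over policy documents written in the same JSON shape, including the NotAction whitelisting variant. The FullAWSAccess document is the default AWS-managed SCP; the denied service prefix "lightsail", the whitelist and the IAM policy are constructed sample data. Conditions, NotResource and the caller's identity are not modelled, and IAM wildcards are approximated with fnmatch.

```python
"""Toy evaluator for how SCPs and IAM permissions intersect.

Added example (not from the slides or from AWS). A call is allowed only if
every SCP layer (root, OU, account) yields Allow AND the IAM policy yields
Allow; an explicit Deny at any point wins. SCPs apply to every principal in
the account, root included, so no principal check is needed here.
"""
import fnmatch

# Default SCP AWS attaches to every root/OU/account: allows everything.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed blacklisting SCP in the shape shown on the slide: deny every
# API of one service ("lightsail" is an assumed sample prefix).
DENY_ONE_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "lightsail:*", "Resource": "*"}],
}

# Constructed whitelisting SCP via NotAction: deny everything except these services.
ALLOW_LIST_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "NotAction": ["s3:*", "ec2:*", "lightsail:*"],
                   "Resource": "*"}],
}

# Constructed IAM identity policy attached to the caller.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "lightsail:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, fold_case):
    # IAM action names are case-insensitive; ARNs are compared as written.
    # fnmatch's "*" and "?" behave like IAM wildcards ("[" is not an IAM wildcard).
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    if "Action" in stmt:
        if not _matches(action, _as_list(stmt["Action"]), True):
            return False
    elif "NotAction" in stmt:
        if _matches(action, _as_list(stmt["NotAction"]), True):
            return False
    else:
        return False
    return _matches(resource, _as_list(stmt.get("Resource", "*")), False)


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for one set of policy documents."""
    decision = None
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if _statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny overrides any allow
                decision = "Allow"
    return decision


def is_allowed(action, resource, scp_layers, iam_policies):
    """Effective permission = (every SCP layer allows) AND (IAM allows)."""
    for layer in scp_layers:
        if evaluate(layer, action, resource) != "Allow":
            return False
    return evaluate(iam_policies, action, resource) == "Allow"


def demo():
    """Evaluate a few calls through root -> OU -> account SCPs, then IAM."""
    layers = [
        [FULL_AWS_ACCESS],                    # organization root
        [FULL_AWS_ACCESS, DENY_ONE_SERVICE],  # OU: blacklist one service
        [FULL_AWS_ACCESS, ALLOW_LIST_ONLY],   # account: whitelist three services
    ]
    calls = ["s3:GetObject", "s3:DeleteBucket", "lightsail:CreateInstances",
             "dynamodb:PutItem", "ec2:RunInstances"]
    return {call: is_allowed(call, "*", layers, [IAM_POLICY]) for call in calls}


if __name__ == "__main__":
    for call, ok in demo().items():
        print(f"{call:28} {'ALLOW' if ok else 'DENY'}")
```

Only s3:GetObject comes out allowed: lightsail is blocked by the OU's deny, dynamodb by the account's NotAction whitelist, s3:DeleteBucket by the IAM-level deny, and ec2:RunInstances passes every SCP layer but has no IAM allow, which is the intersection the slide describes.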

  23. Organizational Units
    • Grouping of AWS Accounts
    • Service Control Policies (SCPs) are applied to the groups
    • Use permission grouping (NOT corporate structure)
    How likely is the group to need a set of similar policies?

  24. Establish guardrails
    • Preventive: prevents policy violations using SCPs
    • Detective: detect policy violations using AWS Config rules
    • A guardrail can be: mandatory, strongly recommended, or elective
    • Guardrails apply to organizational units (OUs) and all child accounts (new and existing)
    Preventive guardrail: enabled on organizational units and accounts; granular AWS policies are output as an SCP; accounts stay always compliant
    Detective/remediable guardrails: enabled on organizational units and accounts; granular AWS policies are output as AWS Config rules; accounts report compliant or non-compliant

  25. Guardrail examples
    Goal/Category            Example
    IAM                      Require MFA for root user
    Data security            Disallow public read access to Amazon S3 buckets
                             Disallow public access to Amazon RDS database instances
    Network                  Disallow internet connection via Remote Desktop Protocol (RDP)
                             Disallow internet connection through SSH
    Audit logs               Enable AWS CloudTrail and AWS Config
    Monitoring               Disallow policy changes to log archive
    AWS Control Tower setup  Disallow changes to IAM roles set up by AWS Control Tower
    Operations               Disallow EBS volumes that are unattached to an EC2 instance
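
The guardrail slides above explain that detective guardrails are AWS Config rules that mark each resource compliant or non-compliant. The following is an added example, not code from the deck, from AWS Control Tower or from AWS Config: it implements five of the example guardrails from the table (public S3 read, public RDS, SSH and RDP open to the internet, unattached EBS volumes) as checks over a constructed snapshot of resources. The resource dicts use a simplified, constructed shape rather than the real AWS Config configuration-item schema; the COMPLIANT / NON_COMPLIANT strings are the values AWS Config reports, the AllUsers grantee URI is the one S3 uses for public ACLs, and ports 22 and 3389 are the standard SSH and RDP ports.

```python
"""Detective-guardrail style checks over constructed resource snapshots.

Added example; not from the deck or from AWS. Each check takes one resource
and returns COMPLIANT or NON_COMPLIANT, the way an AWS Config rule does.
"""
from ipaddress import ip_network

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
# Grantee URI S3 uses for "everyone" in a bucket ACL.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def s3_public_read(bucket):
    """Disallow public read access to Amazon S3 buckets."""
    if bucket.get("ignore_public_acls"):
        # S3 Block Public Access with IgnorePublicAcls makes public ACL grants inert.
        return COMPLIANT
    for grant in bucket.get("acl_grants", []):
        if grant["grantee"] == ALL_USERS and grant["permission"] in ("READ", "FULL_CONTROL"):
            return NON_COMPLIANT
    return COMPLIANT


def rds_public_access(instance):
    """Disallow public access to Amazon RDS database instances."""
    return NON_COMPLIANT if instance.get("publicly_accessible") else COMPLIANT


def _from_internet(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) admits any source address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _rule_opens_port(rule, port):
    if rule["protocol"] == "-1":  # "all traffic" rules cover every port
        return True
    return rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def _port_open_to_internet(group, port):
    for rule in group.get("ingress", []):
        if _rule_opens_port(rule, port) and any(_from_internet(c) for c in rule["cidrs"]):
            return NON_COMPLIANT
    return COMPLIANT


def ssh_from_internet(group):
    """Disallow internet connection through SSH."""
    return _port_open_to_internet(group, 22)


def rdp_from_internet(group):
    """Disallow internet connection via Remote Desktop Protocol (RDP)."""
    return _port_open_to_internet(group, 3389)


def ebs_attached(volume):
    """Disallow EBS volumes that are unattached to an EC2 instance."""
    return COMPLIANT if volume.get("attachments") else NON_COMPLIANT


# Guardrail (named as on the slide) -> (resource type it applies to, check)
GUARDRAILS = {
    "Disallow public read access to Amazon S3 buckets": ("s3_bucket", s3_public_read),
    "Disallow public access to Amazon RDS database instances": ("rds_instance", rds_public_access),
    "Disallow internet connection through SSH": ("security_group", ssh_from_internet),
    "Disallow internet connection via Remote Desktop Protocol (RDP)": ("security_group", rdp_from_internet),
    "Disallow EBS volumes that are unattached to an EC2 instance": ("ebs_volume", ebs_attached),
}


def evaluate(snapshot):
    """Run every applicable guardrail over every resource -> [(guardrail, resource id, status)]."""
    results = []
    for item in snapshot:
        for name, (resource_type, check) in GUARDRAILS.items():
            if item["type"] == resource_type:
                results.append((name, item["id"], check(item)))
    return results


def non_compliant(snapshot):
    """Set of (guardrail, resource id) pairs that need attention."""
    return {(name, rid) for name, rid, status in evaluate(snapshot) if status == NON_COMPLIANT}


# Constructed snapshot of resources across provisioned accounts.
SNAPSHOT = [
    {"type": "s3_bucket", "id": "public-assets",
     "acl_grants": [{"grantee": ALL_USERS, "permission": "READ"}]},
    {"type": "s3_bucket", "id": "legacy-acl-blocked", "ignore_public_acls": True,
     "acl_grants": [{"grantee": ALL_USERS, "permission": "READ"}]},
    {"type": "s3_bucket", "id": "private-logs", "acl_grants": []},
    {"type": "rds_instance", "id": "app-db", "publicly_accessible": True},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
    {"type": "security_group", "id": "sg-office-rdp",
     "ingress": [{"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidrs": ["198.51.100.0/24"]}]},
    {"type": "security_group", "id": "sg-wide-open", "ingress": [{"protocol": "-1", "cidrs": ["::/0"]}]},
    {"type": "ebs_volume", "id": "vol-orphan", "attachments": []},
    {"type": "ebs_volume", "id": "vol-root", "attachments": ["i-placeholder"]},
]

if __name__ == "__main__":
    for name, rid, status in evaluate(SNAPSHOT):
        print(f"{status:14} {rid:20} {name}")
```

Two edge cases are deliberate: a bucket with a public ACL but IgnorePublicAcls enabled is compliant, and an "all traffic" (protocol -1) rule from ::/0 fails both the SSH and the RDP guardrail even though it names no port.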


  26. AWS Service Catalog: Secure self-service provisioning
    Enable, Provision, Operate
    Business agility + governance control

  27. Automate compliant account provisioning
    • Standardized account provisioning
    • Automatic enforcement of guardrails
    • Configurable network settings
    Account factory inputs: network baseline (network CIDR, network regions), OU, account baseline
    An AWS Service Catalog product provisions the new AWS account with the network baseline, account baseline and guardrails applied

  28. Enable secure self-service provisioning
    • Create best-practices templates with AWS CloudFormation or Terraform for commonly used products (Amazon EMR, Amazon EC2, etc.)
    • Create AWS Service Catalog products in the master AWS Control Tower account
    • Distribute products via Organizations to all of your AWS Control Tower managed accounts


  29. AWS Control Tower: Easiest way to set up and govern at scale
    Enable, Provision, Operate
    Business agility + governance control

  30. Operate with agility + control
    Dashboard: continuous visibility into your multi-account environment
    Act: take operational action on resources
    Audit: audit resource configurations, user access, and policy enforcement
    Monitor: monitor resources and workloads

  31. Demo

  32. We thought we did this…

  33. But…

  34. AWS services that enable agility + governance
    AWS Control Tower
    AWS Organizations
    AWS Service Catalog
    AWS Well-Architected Tool
    AWS Budgets
    AWS License Manager
    AWS Marketplace (Private Marketplace)
    AWS CloudTrail
    AWS Config
    AWS Security Hub
    Amazon CloudWatch

  35. AWS Control Tower capabilities
    Account Management
    • Framework for creating and baselining a multi-account environment using AWS Organizations
    • Initial multi-account structure including security, audit, & shared service requirements
    • An account vending machine that enables automated deployment of additional accounts with a set of managed and monitored security baselines
    • A management console that shows compliance status of accounts
    • The ability to apply AWS best practice guardrails and Blueprints to accounts at account creation
    • The ability to detect and report on any drift / changes that have occurred that deviate from initial configuration options
    Identity & Access Management
    • User account access managed through AWS SSO federation
    • Integration options with other 3rd party SSO providers
    • Cross-account roles enable centralized management
    Security & Governance
    • Multiple accounts enable separation of duties
    • Initial account security and AWS Config rules baseline
    • Network baseline

  36. Thank you!
    Dennis Kieselhorst, Sr. Solutions Architect
    [email protected]
    Feedback form: https://amzn.to/35cfKWx